Key Results
Key Figures
Time Range: Aug 2021 – Sept 2023
1.6M+ Sightings
353 Unique Techniques
198 Countries
Over 300 ATT&CK Software Objects
What’s in the Data
In Sightings 1.0, we had around 1.1M normalized sightings. Sightings 2.0 has around 1.6M sightings and nearly twice as many unique techniques. This provides the Center with a more comprehensive view of what techniques are being used in the wild. Out of 201 core Enterprise techniques, we saw 173 techniques, or 86% of the ATT&CK Framework, in our data.
When including sub-techniques, we saw 353 out of 625 techniques and sub-techniques, or nearly 57%. This percentage is lower than the parent-technique percentage because we tended to see only a small number of sub-techniques per technique. However, each tactic was well represented in our data.
Compared to our previous report, we observed some variations across the top 15 techniques. T1059 – Command and Scripting Interpreter rose in rank from #2 to #1, and T1053 – Scheduled Task/Job, which was the #1 technique last time, didn’t rank in the top 15. Additionally, T1090 – Proxy, T1036 – Masquerading, T1543 – Create or Modify System Process, T1574 – Hijack Execution Flow, T1095 – Non-Application Layer Protocol, and T1218 – System Binary Proxy Execution were also not seen in our top 15 techniques. While the last Sightings report focused mainly on analyzing the top techniques, this time our data included some new information, allowing for additional analysis.
We were able to observe the top techniques by sector, region, software, platform, and privilege level. We also analyzed the correlation between sectors and regions and how software was used across sectors, platforms, and regions. Overall, over 300 different ATT&CK software objects were seen in our data. Additionally, 20 sectors and almost all countries were represented. To our surprise, outside of the US, nations in South America accounted for some of our highest sighting counts. Among sectors, most sightings came from the manufacturing sector - twice as many as the next closest sector. We had anticipated a more uniform distribution across sectors, or the highest sightings from a sector that cyber threat intelligence tends to report on, like the Professional, Scientific, and Technical Services or Information sectors. While we collected sightings from multiple platforms, the vast majority came from Windows environments. Similarly, while we collected sightings from multiple privilege levels, most of the data reflects low-privilege (i.e., user-level) behavior. For future reports, we hope to have more sightings from other platforms and privilege levels.
Top 15 Techniques
Of all techniques observed between 1 August 2021 and 30 September 2023, the top 15 most observed techniques comprise 82 percent of our sightings. This is lower than our last report, where the top 15 techniques comprised 90 percent of all observed techniques. This difference is likely due to the larger data set analyzed for this report, as well as the wider array of unique techniques seen during this timeframe.
The top 15 Enterprise techniques represent 9 out of 14 ATT&CK Tactics. This demonstrates the range and scope of our most observed data.
Top 10 NIST 800-53 Controls
Using the Center’s mappings of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 revision 5 to ATT&CK, we can identify which NIST controls are the most effective in protecting against our top 15 techniques. Overall, Access Control, System and Information Integrity, and Configuration Management controls appear most frequently in those mappings.
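The two computations described above (the share of sightings covered by the top N techniques, and ranking NIST SP 800-53 controls by how many of those top techniques they map to), as an added worked example that is not part of the report. The sightings and the control-to-technique mapping are constructed sample data, not the Center's dataset or its published mappings, and ranking by number of top techniques covered is an assumption, since the page does not state the report's exact scoring rule.

```python
from collections import Counter

# Constructed sample sightings as (technique_id, count); not the report's data.
SIGHTINGS = [
    ("T1059.001", 400), ("T1059.003", 150), ("T1053.005", 60),
    ("T1003.001", 90), ("T1027", 120), ("T1105", 80),
    ("T1071.001", 70), ("T1082", 30),
]

# Constructed control -> parent-technique mapping, in the shape of the
# Center's NIST SP 800-53 Rev 5 mappings but NOT copied from them.
CONTROL_MAP = {
    "AC-2": {"T1059", "T1053", "T1003"},
    "AC-6": {"T1059", "T1053", "T1003", "T1105"},
    "SI-3": {"T1059", "T1027", "T1105"},
    "SI-4": {"T1059", "T1071", "T1105", "T1027"},
    "CM-7": {"T1059", "T1053", "T1105"},
    "CM-2": {"T1059", "T1071"},
}


def parent(technique_id):
    """Roll a sub-technique ID (T1059.001) up to its parent (T1059)."""
    return technique_id.split(".")[0]


def technique_counts(sightings):
    """Aggregate sightings per parent technique, mirroring the report's
    'core technique' view where sub-techniques count toward the parent."""
    counts = Counter()
    for tid, n in sightings:
        counts[parent(tid)] += n
    return counts


def top_n_share(sightings, n):
    """Return (top technique IDs, fraction of all sightings they cover)."""
    counts = technique_counts(sightings)
    top = counts.most_common(n)
    return [t for t, _ in top], sum(c for _, c in top) / sum(counts.values())


def rank_controls(control_map, top_techniques):
    """Rank controls and control families (AC, SI, CM, ...) by how many of
    the top techniques each one maps to. Ties keep mapping insertion order."""
    top = set(top_techniques)
    per_control = Counter({c: len(t & top) for c, t in control_map.items()})
    per_family = Counter()
    for control, hits in per_control.items():
        per_family[control.split("-")[0]] += hits
    return per_control.most_common(), per_family.most_common()


if __name__ == "__main__":
    top, share = top_n_share(SIGHTINGS, 3)
    print(f"top techniques {top} cover {share:.0%} of sightings")
    print(rank_controls(CONTROL_MAP, top))
```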
Download Data
Download the cleaned and anonymized Sightings 2.0 dataset.